I use the signify tool to cryptographically sign all software downloads you will find on this site. Whilst you technically don't need signify to verify the integrity of downloaded files, I strongly recommend using it to also verify the signature. A portable version of the tool is available here.
Obtaining the signature and checksum
If you decide to use signify to verify downloaded files, you need to obtain the detached signature linked on the respective project page and the public release key (see below). Otherwise, you only need to fetch the checksum.
Obtaining the public key
To fully verify a download with signify, first obtain my public key. I keep a copy of the same key on DNS; feel free to compare the downloaded key against it:
$ drill TXT releasekey.oriole.systems
Another copy of the key exists on the freenode IRC servers, in my taxonomy data:
/msg NickServ taxonomy wynn
You may want to keep the public key saved on your system for future verifications.
Verification with signify
Once you have downloaded my public key, run the following to verify your download:
$ signify -C -p release.pub -x <snapshot>.SHA256.sig
Signature Verified
<snapshot>: OK
Verification with sha256sum
Alternatively, if you don't want to install signify, you can use the sha256sum tool to only verify the integrity of the download:
$ sha256sum -c <snapshot>.SHA256
<snapshot>: OK
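The whole procedure from the two sections above (signify check when the tool is present, sha256sum integrity check otherwise) plus a cross-check of the downloaded key against the DNS copy, written out as shell functions. This is an added example, not a script from this site. It assumes the file names used above (release.pub, <snapshot>.SHA256, <snapshot>.SHA256.sig) and assumes the TXT record at releasekey.oriole.systems carries the base64 key line exactly as it appears on the second line of release.pub; the sample key and sample archive it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the site's own tooling. Assumed file names: release.pub,
# <snapshot>.SHA256, <snapshot>.SHA256.sig. Assumption: the DNS TXT record
# holds the base64 key line exactly as found on line 2 of release.pub.

# Constructed placeholder, not a real release key.
SAMPLE_KEY='RWQplaceholderNOTarealKEY0000000000000000000000000000000'

# A signify public key file is two lines: an "untrusted comment:" header
# followed by the base64 key material.
pubkey_material() {
    sed -n '2p' "$1"
}

# Compare the local key file with a TXT record value as printed by drill or
# dig (surrounding quotes and spaces between record chunks removed).
key_matches_dns() {
    dns_key=$(printf '%s' "$2" | tr -d '" ')
    [ -n "$dns_key" ] && [ "$(pubkey_material "$1")" = "$dns_key" ]
}

# Portable sha256sum-style listing, used only to build the sample data.
sha256_list() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# Integrity only: <snapshot>.SHA256 is not authenticated, so whoever can
# replace the download can replace the checksum list as well.
# Run it from the directory holding the files, as sha256sum -c expects.
verify_integrity() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1.SHA256"
    else shasum -a 256 -c "$1.SHA256"; fi
}

# Authenticity and integrity: signify checks the signature over the
# checksum list with the release key, then checks the named file against it.
verify_signature() {
    signify -C -p "$2" -x "$1.SHA256.sig" "$1"
}

# Prefer the signed check; fall back to the integrity check and say so.
verify_download() {
    if command -v signify >/dev/null 2>&1; then
        verify_signature "$1" "$2"
    else
        echo "signify not installed: checking integrity only, not the publisher" >&2
        verify_integrity "$1"
    fi
}

# Constructed sample data so the integrity path runs offline. The signify
# path needs the real release.pub and .sig from the project page.
make_sample() {
    mkdir -p "$1"
    printf 'untrusted comment: constructed placeholder key\n' > "$1/release.pub"
    printf '%s\n' "$SAMPLE_KEY" >> "$1/release.pub"
    printf 'sample release contents\n' > "$1/snapshot.tar.gz"
    (cd "$1" && sha256_list snapshot.tar.gz > snapshot.tar.gz.SHA256)
}

# Demo: build the sample, compare the key with a quoted TXT value, run the
# integrity check, then tamper with the download and check again.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if key_matches_dns "$demo_dir/release.pub" "\"$SAMPLE_KEY\""; then
    echo "downloaded key matches the DNS copy"
fi
(cd "$demo_dir" && verify_integrity snapshot.tar.gz)
printf 'tampered\n' >> "$demo_dir/snapshot.tar.gz"
(cd "$demo_dir" && verify_integrity snapshot.tar.gz) || echo "tampered download rejected"
rm -rf "$demo_dir"
```

For a real download, run `verify_download <snapshot> release.pub` in the directory containing the archive, the checksum list and the signature; the fallback message makes it explicit that sha256sum alone proves the file was not corrupted in transit, not who published it.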